
Nmap Development mailing list archives
Fwd: Exfiltrated NSE script
From: Jacek Wielemborek <wielemborekj1 () gmail com>
Date: Thu, 29 Aug 2013 12:20:06 +0200
Hi guys,

While browsing the (not maintained anymore) h-online.com website, I once encountered this news:

http://www.h-online.com/security/news/item/Search-engine-available-for-Internet-Census-2012-data-1866057.html

While browsing the data available here, I noticed I could easily run a scan on my university address range and get results immediately, without sending a packet to it from any source address. The obvious catch here is that the Internet Census 2012 data aren't exactly the most up to date, but I believe that they could still be useful, especially since we got permission from the exfiltrated.com site administrator, so we don't have to store the data anywhere.

I have to admit I have no idea about the legal point of view of using that data, so it's one of the things I'd like to hear about from you.
From my point of view, it's not us that grabbed data and we'd basically write a script to just grab it from a website, so perhaps it's all okay?

The way I see the script, there are three use cases I can think of. One would involve skipping the SYN scan altogether and using exfiltrated data to fill out the port status, setting the "reason" field to "exfiltrated.com". We could also add the ports to the to-scan list to include them even if they're not in the default top 1000. The last option is to compare our scan results to the historical data from IC2K12 results.

What do you think about it? Below is the original e-mail from Wesley, along with my e-mail to him as well. I CC'ed this message to him too.

Yours,
Jacek Wielemborek

---------- Forwarded message ----------
From: Wesley <wesley () exfiltrated com>
Date: 2013/8/28
Subject: Re: Exfiltrated NSE script
To: Jacek Wielemborek <wielemborekj1 () gmail com>
Cc: Wesley W <wesley () exfiltrated com>

Hi Jacek,

I would not mind at all if you would like to make an NSE script to query my website! Currently my web host is terrible, and I've had delays in moving it to a better hosting provider. I do hope to have my hosting situation sorted out soon, so the traffic situation should not be an issue.

Ideally I would just get you to add something like "?source=NSE" to each request so that if traffic was overwhelming the server I could easily filter it out and provide some sort of helpful error message to people. Currently the SYN results are the least intensive to query from the server, and the DNS are the most intensive, so that works in our favour too.

Let me know if you need any help along the way, and thanks for checking with me first!

Regards,
Wes

On Mon, Aug 26, 2013 at 10:03 AM, Jacek Wielemborek <wielemborekj1 () gmail com> wrote:
Hi Wesley,

Would you mind if I wrote (or inspired my friend to write) an Nmap NSE script that would have a look at exfiltrated.com for SYN scan results and display them? I could probably make it nondefault if you're worried about too much traffic.

Yours,
Jacek Wielemborek
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/